Net-Worm.Win32.CodeRed.a (Kaspersky Lab)
Affected platforms: Microsoft Windows
Code Red is a worm observed on the Internet on July 13, 2001 that replicates between Windows 2000 servers running Microsoft's IIS (Internet Information Services) and the Microsoft Index Server 2.0 or the Windows 2000 Indexing Service. It does this by exploiting a bug known as "Unchecked Buffer in the Index Server ISAPI Extension," described by Microsoft in the Microsoft Security Bulletin MS01-033, released on June 18th, 2001.
Using a specially crafted string sent to HTTP servers over the Internet, the worm overwrites a variable in a module named "idq.dll", forcing the system to jump to an incorrect address and execute the worm code. When run, the worm code starts creating copies of itself in memory in order to attack even more IIS servers at the same time. The addresses of the servers that the worm attacks are generated randomly, but because of a bug, each copy of the worm tries to attack the same list of servers, greatly reducing its overall "attack power."
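The overflow described above arrives as an HTTP request routed to the Index Server ISAPI extension with a query string far longer than any legitimate search. The following is an added example, not part of the original entry, of a defender-side check over IIS W3C log lines; it assumes that request stems ending in .ida or .idq are handled by idq.dll, assumes a 200-byte query-length threshold, and uses constructed sample log lines.

```python
"""Flag IIS requests that look like attempts to overflow the Index Server
ISAPI extension (idq.dll): a request routed to that extension carrying an
abnormally long query string. Thresholds and extension mapping are assumed."""
import re

# Assumed threshold: legitimate Indexing Service queries are short, while an
# overflow attempt has to carry hundreds of bytes to reach the saved address.
MAX_QUERY_LEN = 200
IDQ_EXTENSIONS = (".ida", ".idq")  # assumed: stems mapped to idq.dll

# Assumed W3C extended log layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Return (client_ip, stem, query, status) or None for comments/malformed."""
    if line.startswith("#") or not line.strip():
        return None
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _date, _time, ip, _method, stem, query, status = m.groups()
    return ip, stem, ("" if query == "-" else query), int(status)


def is_idq_overflow_attempt(stem, query):
    """True when the request targets the idq.dll extension with an oversized query."""
    return stem.lower().endswith(IDQ_EXTENSIONS) and len(query) > MAX_QUERY_LEN


def scan_lines(lines):
    """Return (client_ip, stem, query_length) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, stem, query, _status = rec
        if is_idq_overflow_attempt(stem, query):
            hits.append((ip, stem, len(query)))
    return hits


# Constructed sample log: one oversized .ida request, two benign requests.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:03:41 203.0.113.7 GET /default.ida " + "X" * 240 + " 200",
    "2001-07-19 10:03:42 198.51.100.2 GET /index.html - 200",
    "2001-07-19 10:03:43 192.0.2.9 GET /search.idq CiRestriction=patch 200",
]

if __name__ == "__main__":
    for ip, stem, qlen in scan_lines(SAMPLE_LOG):
        print(f"suspicious idq.dll request from {ip}: {stem} query={qlen} bytes")
```

A hit only shows that the extension was targeted; whether the server was vulnerable depends on whether the MS01-033 fix was applied or the .ida/.idq mappings were removed.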
Apparently, the author also noticed this bug, because a few days after the first variant of the worm appeared in the wild, a second, fixed variant was found as well. This second variant, known as ".B" or "v2", generates completely random streams of IP addresses, with much higher chances to spread than the initial version.
Interestingly, there is a bug in the worm which causes far more than the expected 100 copies of itself to run on every infected machine, wasting large amounts of CPU and memory resources, thus slowing the server and, again, making the worm's replication even less efficient. This bug depends on a lot of factors and will not always show itself - sometimes the code operates as expected and creates only 100 threads.
The main worm payload is run if the current day of the month is between the 20th and the 27th, inclusive. It then attempts to connect to an IP address associated with the popular site 'www.whitehouse.gov' and tries to flood it with connection attempts.